FTC Sues Wyndham Hotels Over Repeated Data Breaches

The U.S. Federal Trade Commission has filed a lawsuit against
Wyndham Worldwide Corp., alleging that the global hotel chain
unnecessarily exposed customers' credit card data and other
personal information to theft and unauthorized access. The
complaint cites three separate data breaches against which
Wyndham failed to protect its customers.

The FTC lawsuit against Wyndham Worldwide Corp. charges that the
hotel chain's privacy policy "misrepresented the security measures
that the company and its subsidiaries took to protect consumers'
personal information." Because the company failed to fully protect
customers' payment data, its security practices were "unfair and
deceptive," the FTC alleges.

The defendants in the case are: Wyndham Worldwide Corp.; its
subsidiary, Wyndham Hotel Group LLC, which franchises and manages
approximately 7,000 hotels; and two subsidiaries of Wyndham Hotel
Group — Wyndham Hotels and Resorts LLC and Wyndham
Hotel Management Inc.

According to the FTC lawsuit, cybercrooks first infiltrated the
network of a Phoenix, Ariz., Wyndham-branded hotel, allowing them
to compromise more than 500,000 payment card accounts and export
hundreds of thousands of card account numbers to a domain
registered in Russia.

This first data breach, in 2008, was followed by another in March
2009, when hackers siphoned clear text files containing the
payment card information of more than 50,000 guests at 39
Wyndham-branded hotels. Later in 2009, another 28 Wyndham hotel
servers were breached, exposing the data of about 69,000
customers.

The criminals, believed to be the same in all three incidents,
used the stolen financial data to make at least $10.6 million in
fraudulent purchases.

In all cases, the FTC says, Wyndham stored customers' credit card
data in plain text, used default user IDs and passwords, did not
deploy firewalls, allowed easy-to-guess passwords, and did not
conduct security investigations or protect its computers from
malware.

"The lack of action after repeatedly being compromised is truly
unacceptable behavior and without the oversight of agencies like
the FTC, consumers are left unaware of the risk they are exposed
to," Chet Wisniewski of the security firm Sophos wrote in a blog post.